Support disabling automatic use of TLS

[angerized]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Hello,

I came upon an issue with our Exchange send connector, that allows anonymous relay from some of our internal IP addresses.

Our connector advertises TLS but has no TLS Certificate bound to it (which is not a good thing), but in the past Nextcloud did not care and sent emails with no TLS using this same connector.

Recently, it seems that TLS is enforced by Symfony Mailer if STARTTLS is advertised at EHLO. And thus emails are not sent anymore, because of the aforementioned settings (or lack thereof) in our Exchange.

It worked perfectly in the past, so I don't know when emails started to be blocked, since no one told us and we stumbled upon it by chance.

After many attempts to troubleshoot the issue, it appears that Symfony added a new parameter in their 7.1 version, called "auto_tls" that allows it to not attempt TLS handshakes automatically:
https://symfony.com/doc/current/mailer.html#disabling-automatic-tls

Would it be possible to update Symfony and add this parameter reflecting it in config.php so that we could bypass TLS entirely, and avoid this kind of issues?

Kind regards.

Steps to reproduce

1. Try to send a test email using the administrator page
2. Email is not sent

Expected behavior

Email was working fine in the past, we should be able to bypass TLS entirely if we needed to.

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "29.0.11.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "htaccess.RewriteBase": "\/",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "maintenance": false,
        "theme": "",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 2,
        "mail_smtpdebug": false,
        "skeletondirectory": "***REMOVED SENSITIVE VALUE***",
        "defaultapp": "files",
        "default_phone_region": "FR",
        "mail_smtpmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": true,
                "verify_peer": false,
                "verify_peer_name": false
            }
        },
        "apps_paths": [
            {
                "path": "\/var\/www\/nextcloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/nextcloud\/apps_extra",
                "url": "\/apps_extra",
                "writable": true
            }
        ],
        "updater.release.channel": "stable",
        "mysql.utf8mb4": true,
        "mail_sendmailmode": "smtp",
        "mail_smtpauthtype": "PLAIN",
        "maintenance_window_start": 1
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - bruteforcesettings: 2.9.0
  - calendar: 4.7.16
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.1
  - files_downloadlimit: 2.0.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - impersonate: 1.16.0
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - nextcloud_announcements: 1.18.0
  - notifications: 2.17.0
  - oauth2: 1.17.1
  - password_policy: 1.19.0
  - photos: 2.5.0
  - polls: 7.2.9
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - support: 1.12.0
  - survey_client: 1.17.0
  - systemtags: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - updatenotification: 1.19.1
  - user_ldap: 1.20.0
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - contacts: 5.5.3 (installed 5.5.3)
  - encryption: 2.17.0
  - files_external: 1.21.0
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - firstrunwizard: 2.18.0 (installed 2.1)
  - richdocuments: 8.3.7 (installed 8.3.7)
  - sharerenamer: 3.2.0 (installed 3.2.0)
  - suspicious_login: 7.0.0
  - twofactor_totp: 11.0.0-dev
  - user_saml: 6.1.3 (installed 6.1.3)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"wGQkWm0Y1mIGQAJH99lB","level":0,"time":"2025-02-03T10:51:56+00:00","remoteAddr":"XXXXXXXXXXX","user":"XXXXXXXXXXX","app":"core","method":"POST","url":"/settings/admin/mailtest","message":"Sending mail to \"Array\n(\n    [XXXXXXXXXXX] => XXXXXXXXXXX\n)\n\" with subject \"Test des paramètres de messagerie\" failed","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0","version":"29.0.11.1","exception":{"Exception":"Symfony\\Component\\Mailer\\Exception\\TransportException","Message":"Unable to connect with STARTTLS.","Code":0,"Trace":[{"file":"/var/www/nextcloud/3rdparty/symfony/mailer/Transport/Smtp/SmtpTransport.php","line":253,"function":"doHeloCommand","class":"Symfony\\Component\\Mailer\\Transport\\Smtp\\EsmtpTransport","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/mailer/Transport/Smtp/SmtpTransport.php","line":194,"function":"start","class":"Symfony\\Component\\Mailer\\Transport\\Smtp\\SmtpTransport","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/mailer/Transport/AbstractTransport.php","line":72,"function":"doSend","class":"Symfony\\Component\\Mailer\\Transport\\Smtp\\SmtpTransport","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/mailer/Transport/Smtp/SmtpTransport.php","line":136,"function":"send","class":"Symfony\\Component\\Mailer\\Transport\\AbstractTransport","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/mailer/Mailer.php","line":45,"function":"send","class":"Symfony\\Component\\Mailer\\Transport\\Smtp\\SmtpTransport","type":"->"},{"file":"/var/www/nextcloud/lib/private/Mail/Mailer.php","line":232,"function":"send","class":"Symfony\\Component\\Mailer\\Mailer","type":"->"},{"file":"/var/www/nextcloud/apps/settings/lib/Controller/MailSettingsController.php","line":168,"function":"send","class":"OC\\Mail\\Mailer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":232,"function":"sendTestMail","class":"OCA\\Settings\\Controller\\MailSettingsController","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":138,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":331,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1060,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":49,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/3rdparty/symfony/mailer/Transport/Smtp/EsmtpTransport.php","Line":116,"message":"Sending mail to \"Array\n(\n    [XXXXXXXXXXX] => XXXXXXXXXXX\n)\n\" with subject \"Test des paramètres de messagerie\" failed","exception":[],"CustomMessage":"Sending mail to \"Array\n(\n    [XXXXXXXXXXX] => XXXXXXXXXXX\n)\n\" with subject \"Test des paramètres de messagerie\" failed"},"id":"67a09fdc3748a"}

Additional info

No response

[joshtrichards]

It worked perfectly in the past, so I don't know when emails started to be blocked, since no one told us and we stumbled upon it by chance.

The Mailer was changed in NC v26 so it's been quite awhile. ;-) It is covered in the Critical changes section of the Admin Manual for v26: https://docs.nextcloud.com/server/26/admin_manual/release_notes/upgrade_to_26.html where we try to note stuff like this.

Would it be possible to update Symfony and add this parameter reflecting it in config.php so that we could bypass TLS entirely, and avoid this kind of issues?

Would also help with proposed enhancement #41935.

Our connector advertises TLS but has no TLS Certificate bound to it (which is not a good thing), but in the past Nextcloud did not care and sent emails with no TLS using this same connector.

The Mailer version we're up to at the moment (6.4 in v31 & dev/master) is still well supported (it's an LTS release). Can't say with any certainty when someone will get around to evaluating deprecations and breaking changes in the 7.x Symfony cycle.

Not sure the characteristics of your environment, but fixing that connector might be faster... and a good idea to fix either way. ;-)

EDIT: Another factor is when we formally drop support for PHP 8.1 since Symfony 7.x requires >= 8.2.

[angerized]

Thank you for your reply.

Not sure the characteristics of your environment, but fixing that connector might be faster... and a good idea to fix either way. ;-)

Sure, we are indeed trying to fix this behavior on our connector's end anyway, but this would be a good option to have in the end imho. There is probably a good reason it got added in Symfony 7.1 :)

I am completely aware of the implications of this on Nextcloud's codebase though, and understand that it might take some time before it ends up there.

Kind regards.

[susnux]

We'll be keeping this issue open to gauge community interest. We often prioritize features based on the number of 👍 reactions (on the initial request!), so if you and others find this useful, please show your support!